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CLAIMS : 

What is claimed is: 



1. A method of controlling access to computer system 
5 resources based on permissions, comprising: 

receiving a request for access to a computer system 
resource and 

executing, on the request, a security policy 
identified by a security policy file class, 
10 wherein the security policy determines if a 

superclass permission is implied by a required permission 
in each protection domain of an access control context 
and adds the required permission to a permission 
collection if the superclass permission is implied by the 
15 required permission in each protection domain of the 

access control context, and wherein the security policy 
W grants access to the computer system resource if the 

superclass permission of the required permission is 
present in each protection domain of the access control 
y, 20 context. 



2. The method of claim 1, wherein the request is 
received from bytecode. 

25 3. The method of claim 1, further comprising: 

determining the required permission based on a 
CodeSource associated with the request. 



4. The method of claim 1, wherein the security policy 
30 determines if a superclass permission is implied by a 
required permission in each protection domain by 
determining if at least one permission collection in each 
protection domain includes the superclass permission. 
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5. The method of claim 1, wherein the security policy 
adds the required permission to a permission collection 
by creating a new permission collection and adding the 
required permission to the new permission collection. 

6. The method of claim 5, wherein the security policy 
adds the required permission to a permission collection 
by adding any subclass permissions of the required 
permission to the new permission collection. 

7. The method of claim 1, further comprising retrieving 
the access control context for a thread of execution that 
sent the request for access to the computer system 
resource . 

8. The method of claim 1, wherein the security policy 
adds the required permission to a permission collection 
by adding the permission to a permission collection 
associated with the superclass permission. 

9. A computer program product in a computer readable 
medium for controlling access to computer system 
resources based on permissions, comprising: 

first instructions for receiving a request for 
access to a computer system resource; and 

second instructions for executing, on the request, a 
security policy identified by a security policy file 
class, 

wherein the security policy includes instructions 
for determining if a superclass permission is implied by 
a required permission in each protection domain of an 
access control context and instructions for adding the 
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required permission to a permission collection if the 
superclass permission is implied by the required 
permission in each protection domain of the access 
control context, and wherein the security policy further 
5 includes instructions for granting access to the computer 
system resource if the superclass permission of the 
required permission is present in each protection domain 
of the access control context. 



10 10. The computer program product of claim 9, wherein the 
request is received from bytecode. 

© 11. The computer program product of claim 9, further 

S3 . . 

in comprising: 

15 third instructions for determining the required 

IS 

m permission based on a CodeSource associated with the 

* request. 

! W 12. The computer program product of claim 9, wherein the 

U 

;p 20 instructions in the security policy for determining if a 
superclass permission is implied by a required permission 
in each protection domain include instructions for 
determining if at least one permission collection in each 
protection domain includes the superclass permission. 

25 

13. The computer program product of claim 9, wherein the 
instructions in the security policy for adding the 
required permission to a permission collection include 
instructions for creating a new permission collection and 
30 instructions for adding the required permission to the 
new permission collection. 



Docket No. AUS920010942US1 



14. The computer program product of claim 13, wherein 
the instructions in the security policy for adding the 
required permission to a permission collection include 
instructions for adding any subclass permissions of the 
required permission to the new permission collection. 

15. The computer program product of claim 9, further 
comprising third instructions for retrieving the access 
control context for a thread of execution that sent the 
request for access to the computer system resource. 

16. The computer program product of claim 9, wherein the 
instructions in the security policy for adding the 
required permission to a permission collection include 
instructions for adding the permission to a permission 
collection associated with the superclass permission. 

17. An apparatus for controlling access to computer 
system resources based on permissions, comprising: 

means for receiving a request for access to a 
computer system resource; and 

means for executing, on the request, a security 
policy identified by a security policy file class, 

wherein the security policy determines if a 
superclass permission is implied by a required permission 
in each protection domain of an access control context 
and adds the required permission to a permission 
collection if the superclass permission is implied by the 
required permission in each protection domain of the 
access control context, and wherein the security policy 
grants access to the computer system resource if the 
superclass permission of the required permission is 
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present in each protection domain of the access control 
context . 

18. The apparatus of claim 17, wherein the request is 
received from bytecode. 

19. The apparatus of claim 17, further comprising: 
means for determining the required permission based 

on a CodeSource associated with the request. 

20. The apparatus of claim 17, wherein the security 
policy determines if a superclass permission is implied 
by a required permission in each protection domain by 
determining if at least one permission collection in each 
protection domain includes the superclass permission. 

21. The apparatus of claim 17, wherein the security 
policy adds the required permission to a permission 
collection by creating a new permission collection and 
adding the required permission to the new permission 
collection. 

22. The apparatus of claim 21, wherein the security 
policy adds the required permission to a permission 
collection by adding any subclass permissions of the 
required permission to the new permission collection. 

23. The apparatus of claim 17, further comprising means 
for retrieving the access control context for a thread of 
execution that sent the request for access to the 
computer system resource. 
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24. The apparatus of claim 17, wherein the security 
policy adds the required permission to a permission 
collection by adding the permission to a permission 
collection associated with the superclass permission. 



